The age of the “Jetsons” has arrived. Video conferencing and other multimedia communication is now a common place commodity. With the advent of personal computer based video conferencing capabilities, the capability of multimedia communication between devices housed on local area networks (LAN) is essential. One primary concern today is allowing parties to participate in network based video conferencing without compromising the security of their respective networks.
One way to secure a LAN is by using a firewall. A firewall is a system that protects a LAN that is connected to a public network, such as the Internet, from unauthorized access. One example of a firewall is Firewall-I marketed by Check Point.
FIG. 1 is a system diagram illustrating a typical network configuration. A LAN 110 is shown to include computers 111 with a video camera 112 and/or microphone & speakers 113 connected to each computer 111. These computers 111, such as EP2 115, may participate in a multimedia communication and conferencing session by utilizing a communication protocol such as the H.323 Protocol or the Session Initiation Protocol (SIP). Detailed information regarding H.323 protocol can be found on ITU's site: www.itu.org. SIP is an application-layer control or signaling protocol that operates to create, modify, and terminate sessions with one or more participants. More information about SIP Currently Proposed Std. RFC 2543 or 3261 can be found in www.ietf.org. In addition, the computers 111, such as EP2 115, may enter a multimedia communication and conferencing session with entities located external to the LAN 110 (i.e., located on the Internet), such as EP1 145, through an IP Gateway/router 130.
A multimedia communications session based on the H.323 protocol or a similar protocol, typically includes two major groups of data streams. One group of data streams is a group of call management data streams. The call management data streams include call setup, call control, call tear-down, information, etc. that is used to manage a session. A second group of data streams is a group of call media data streams. The call media data streams include the audio and video data or multimedia data that comprises the information exchanged during the multimedia communications session.
In a typical configuration as depicted in FIG. 1, the call management and call media data streams for a multimedia communications session with an entity external to the LAN will need to travel over communication lines 150 to the firewall 120 and then over communication line 160 to an IP Gateway/router 130 through Internet 140 to EP1 145. Thus, it is apparent that a computer that resides on a firewall protected LAN may need to engage in a multimedia session with a computer external to the LAN.
For security reasons, network managers on IP networks usually want to restrict external access to their networks. Most of the time they will only open TCP ports for Telnet, FTP, and some other common services. To accomplish this, the network managers will configure their IP routers (sometimes referred to as gateways) to filter out access to different ports. These filters are commonly referred to as firewalls. IP security firewalls may be configured in a way that does not allow unauthorized connections.
In order for a broad array of devices to access a firewall-protected network, the network manager must open certain TCP/UDP (User Datagram Protocol) ports required by the accessing device. Part of the call management and call media data streams utilized by most video conferencing equipment utilize dynamic TCP/UDP ports. For these data streams to pass through a firewall, the firewall must be compatible with the H.323, or any other applicable protocol, and open the appropriate TCP/UDP ports that are necessary for a particular session. If this is not performed, the firewall typically will block portions of the multimedia data stream and thus, drop desirable audio/video data.
Another concern is that for each TCP/UDP port that is opened, a potential security breach of the firewall through which adverse parties may exploit the protected network is created. Thus, there is a need in the art for a technique to allow devices on firewall protected networks to communicate with each other without breaching the security of the firewall or without losing important data.
Only a few techniques have been utilized as an attempt to address this need in the art. One such technique is to build an additional separate LAN that is dedicated to audio/video communication. The dedicated LAN hosts only video/audio endpoints (e.g., a terminal on a network capable of two way audio and/or video communication with other endpoints). The dedicated LAN is connected directly to a public network without a firewall. Thus, a multimedia communications session can be entered by a device attached to the dedicated LAN without decreasing the security of the main LAN. This technique is inadequate since it completely eliminates the benefit sought after by having a LAN in the first place—interconnected equipment. The use of a separate network isolates the audio/video equipment and increases the overall cost of the network and network management.
Another technique is to utilize a firewall that supports multimedia communication by being compatible with a communication protocol like H.323 or a similar protocol. This technique allows multimedia communication data streams to pass into and out of the LAN. However, a firewall that is compatible with communication standards such as H.323 or a similar protocol would be complex to create, as well as cost prohibitive. Thus, the use of a customized firewall that supports a complicated communications protocol such as the H.323 protocol is not a viable technique to solve the problems in the art.
Another technique that may be employed is to create “holes” in the firewall enabling the multimedia communications data stream to penetrate through the firewall. For example, the firewall may be configured to allow access to all UDP ports. This approach reduces the security of the LAN, because it opens up more holes in the LAN, which may allow unauthorized use of the LAN.
Therefore, there is a need in the art for a system and method to handle multimedia communications without building a separate LAN for strictly carrying the video/audio communications without a firewall. There is further a need in the art to handle multimedia communications without having to upgrade a conventional firewall to handle the H.323 protocol or similar protocol. It is therefore evident that there is a need in the art to allow LAN connected computers to securely communicate with other computers external to the LAN, without diminishing the security of the LAN.